WHM SSL Certificate Installation Failures: Causes, Fixes, and What to Check First

Overview

WHM SSL certificate installation should be a five-minute job. In practice, it often isn’t. Whether you’re installing a third-party SSL certificate for a reseller client, securing a hostname, or deploying a wildcard cert across multiple accounts, WHM SSL certificate installation failures can block you at several different points — and the errors WHM surfaces aren’t always obvious about the real cause.

The failures covered here affect all WHM environments: cPanel/WHM on VPS, dedicated servers, and shared hosting infrastructure. They’re common across cPanel versions 110 through 124 (current as of 2026). If you’re running a reseller operation managing multiple accounts, SSL issues at the WHM level can cascade — so it’s worth understanding what’s actually going wrong rather than just clicking through until something sticks.

This article assumes you’re either installing a manually obtained SSL certificate through WHM’s SSL/TLS Manager or troubleshooting a failed AutoSSL run. Both failure modes overlap in some areas.

Prerequisites

• Root or reseller access to WHM (reseller accounts may have limited SSL management — see Reseller Hosting plan details for permission scope)
• The SSL certificate file (.crt), private key (.key), and CA bundle / intermediate chain (.ca-bundle or .pem) from your certificate authority
• The domain’s DNS already pointing to the server (for DV and AutoSSL certificates — DNS must be fully propagated before validation)
• SSH access to the server for any command-line verification steps
• OpenSSL installed on the server (standard on all cPanel servers)
• The domain hosted on this WHM server — seems obvious, but worth checking if you manage multiple servers

Step-by-Step: Installing an SSL Certificate in WHM

1. Log in to WHM at https://your-server-ip:2087 with root credentials.
2. Navigate to SSL/TLS: In the left sidebar, go to SSL/TLS > Install an SSL Certificate on a Domain.
3. Verify your certificate, key, and CA bundle before pasting anything. This is the step most people skip — and it’s the single biggest source of installation failures. Run these checks via SSH first:
   Copied to clipboard

   # Check the certificate details
   openssl x509 -in your_cert.crt -noout -text | grep -E "Subject:|DNS:|Not After"
   
   # Check the private key modulus
   openssl rsa -in your_key.key -noout -modulus | md5sum
   
   # Check the certificate modulus — these two md5 values MUST match
   openssl x509 -in your_cert.crt -noout -modulus | md5sum

   If those two MD5 hashes don’t match, your private key doesn’t correspond to that certificate. That’s the most common single cause of WHM SSL installation failures.

4. Verify the CA bundle chain is complete. A missing or broken intermediate chain causes installation to appear successful in WHM but results in browser “untrusted” errors and failed validation by external services.
   Copied to clipboard

   openssl verify -CAfile your_ca_bundle.crt your_cert.crt

   Expected output: your_cert.crt: OK. Anything else means the chain is incomplete or the wrong CA bundle was used for this certificate.

5. Paste certificate contents into WHM:
   • In the Certificate field, paste the full contents of your .crt file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
   • In the Private Key field, paste the full contents of your .key file
   • In the Certificate Authority Bundle field, paste the contents of your .ca-bundle or .pem intermediate chain file

   📝 Note: If you have multiple intermediate certificates, paste them all in the CA Bundle field, chained together (one after the other, no blank lines between them).

6. Click Install Certificate. WHM will attempt to write the certificate to the Apache/Nginx configuration and restart the web service. If this step fails, the error message will appear inline — see the Troubleshooting section below for specific errors.
7. Verify the installation from outside the server:
   Copied to clipboard

   openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

   This confirms what certificate the server is actually serving — not just what WHM thinks is installed.

⚠ Warning: Don’t restart Apache manually mid-installation. WHM handles the service restart as part of the install process. Restarting Apache separately before WHM finishes writing the vhost configuration can corrupt the SSL virtual host entry for that domain.

Common Issues and Troubleshooting

“The certificate’s common name does not match the domain”

Cause: The certificate was issued for a different domain name than the one you’re trying to install it on. This also fires if you’re installing a www.domain.com certificate on the bare domain.com hostname without a SAN entry covering both.

Fix: Run openssl x509 -in your_cert.crt -noout -text | grep -A1 "Subject Alternative Name" and compare the listed domains against what you’re installing on. If the names don’t match, you need a reissued certificate — no workaround on this one.

“The private key does not match the certificate”

Cause: The private key you’re providing was not generated with the CSR that was used to obtain this certificate. This happens when CSRs are regenerated (invalidating the original key), or when keys are accidentally swapped across multiple certificate orders.

Fix: Compare modulus hashes as shown in Step 3 above. If they don’t match, you’ll need to generate a new CSR/key pair and reissue the certificate from your CA. Most CAs allow a free reissue within the certificate’s validity period.

AutoSSL fails with “DCV Error: The domain resolved to an IP address that does not exist on this server”

Cause: The domain’s DNS is pointing to a different IP address than the one WHM is checking against. This is common right after a server migration, or when a CDN (like Cloudflare) is proxying the domain.

Fix: If the domain is behind Cloudflare, temporarily set the DNS record to DNS-only (grey cloud) for the AutoSSL validation to complete. After the certificate installs, re-enable proxying. For recently migrated domains, wait for DNS propagation or manually verify with dig +short yourdomain.com A to confirm the IP matches your server’s public IP.

📝 Note: This error is annoyingly common and the official cPanel documentation undersells how often CDN proxying is the actual cause.

Certificate installs but browsers still show “Not Secure” or an untrusted issuer warning

Cause: The CA bundle (intermediate chain) is missing or incomplete. WHM accepted the install, but the certificate chain served to browsers is broken. Browsers that don’t have the intermediate cached will reject it.

Fix: Re-install the certificate and make sure you include the full CA bundle. You can get the correct chain from your CA’s support site, or use a tool like SSL Labs (ssllabs.com/ssltest) to identify exactly which intermediate is missing. Then reinstall through WHM with the complete chain in the CA Bundle field.

WHM shows “Certificate installation failed” with no additional detail

Cause: Usually an Apache configuration conflict — a malformed existing SSL vhost, a duplicate certificate entry, or a file permission issue under /var/cpanel/ssl/.

Fix: Check the Apache error log immediately after the failure:

tail -100 /usr/local/apache/logs/error_log | grep -i ssl

Also check the cPanel SSL installation log:

tail -50 /usr/local/cpanel/logs/error_log

If you see a duplicate certificate error, there may be a stale SSL entry for the domain. You can remove it via WHM under SSL/TLS > Manage SSL Hosts, delete the old entry, and retry the install.

FAQ